SPM: Panic if metadata is broken
As the code stands, we check for NULL before updating the global
metadata pointer, but do nothing if the check fails. That could leave us
with the metadata for the previous partition, but the PSA API functions
are part of that metadata, so having the wrong ones in place means that
TF-M is broken.
So let's panic cleanly as soon as we detect that.
Signed-off-by: Chris Brand <chris.brand@cypress.com>
Change-Id: I890bf5b07ab98f413695b76320b07c1158f452a8
diff --git a/secure_fw/spm/core/backend_ipc.c b/secure_fw/spm/core/backend_ipc.c
index 20d05c0..e29aa3d 100644
--- a/secure_fw/spm/core/backend_ipc.c
+++ b/secure_fw/spm/core/backend_ipc.c
@@ -540,9 +540,11 @@
}
/* Update meta indicator */
- if (p_part_next->p_metadata) {
- p_partition_metadata = (uintptr_t)(p_part_next->p_metadata);
+ if (p_part_next->p_metadata == NULL) {
+ tfm_core_panic();
}
+ p_partition_metadata = (uintptr_t)(p_part_next->p_metadata);
+
CRITICAL_SECTION_LEAVE(cs);
return AAPCS_DUAL_U32_AS_U64(ctx_ctrls);
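Review bot: tfm_core_panic() is now invoked while the critical section is still held (CRITICAL_SECTION_LEAVE(cs) only comes after the new check), so the change relies on tfm_core_panic() never returning; if a build's panic handler can return, execution falls through to `p_partition_metadata = (uintptr_t)(p_part_next->p_metadata);` and installs a NULL metadata pointer, which is exactly the state the commit message says must not be reached. Consider stating that non-return assumption in the comment above the check (e.g. "metadata must be valid here; panic never returns") or leaving the critical section before panicking, whichever matches how tfm_core_panic() is declared. Also, the title says "metadata is broken" but the hunk only validates against NULL, so the `/* Update meta indicator */` comment would be clearer if it said the check is a NULL check rather than a general validity check.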